From owner-freebsd-isp Tue Apr 24 13:01:27 2001
Date: Tue, 24 Apr 2001 16:01:17 -0400
Message-Id: <200104242001.QAA18631@www20.ureach.com>
From: Bill Pechter
To: "alex huppenthal", Eric_Stanfield@kenokozie.com
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Hacked, nah probably cvsup.

nslookup shows the following on that address

    Name:    burka.rdy.com
    Address: 205.149.189.91

Name's familiar... used to be my cvsup source... which when looked up as cvsup2.freebsd.org

    Name:    burka.rdy.com
    Address: 205.149.189.91
    Aliases: cvsup2.freebsd.org

in /etc/services

    cvsup 5999/tcp

Are you cron'ing cvsup updates?

Bill

--
Bill Pechter
Systems Administrator

---- On Tue, 24 Apr 2001, alex huppenthal (alex@aspenworks.com) wrote:
> Thanks,
>
> I don't see the 5999 port address listed. Yet, the packet count continues
> to grow.
>
> The data is of no use, it's just compressed webpages, but it concerns me
> that the BSD router between the Internet and target system has this
> interesting listing. I set up a pipe to limit bandwidth to the target
> machine, and to watch.
>
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp  205.149.189.91/5999   66.28.18.3/1027       123814 103707137 0 0 0
>
> Checking
>
> http://205.149.189.91/
>
> Doesn't give me a warm and fuzzy feeling.
>
> ----- Original Message -----
> From:
> To: "alex huppenthal"
> Cc:
> Sent: Tuesday, April 24, 2001 1:43 PM
> Subject: Re: IPFW ? hacked?
>
> > I would do:
> >
> > [exs@mrtg]> sockstat -4u |more
> >
> > and see what process is talking to that address. I set up a linux box not
> > too long ago and before I got back to it to tighten it down, some punk from
> > an Israeli dsl provider rooted it and set up an app that would let him
> > access the box. The process he loaded changed its name in ps to something
> > harmless like cron or something (I don't recall) and had I not looked at
> > netstat (which shows more on a linux box) I would never have found out what
> > happened.
> >
> > I really hope you didn't get rooted as one of the main reasons I go about
> > preaching the goodness of all things freebsd is that I've never had a bsd
> > box hacked.
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Eric Stanfield, K2Access
> > Keno Kozie Associates
> > 222 N LaSalle #1500
> > Chicago, IL 60606
> > (312) 332-3000
> >
> > "alex huppenthal"
> > Sent by: owner-freebsd-isp@FreeBSD.ORG
> > 04/24/01 02:32 PM
> > cc:
> > Subject: IPFW ? hacked?
> >
> > I set up a pipe - number 5, and set the bandwidth to 20Mbits.
> >
> > Interestingly, I see 205.149.189.91 as a destination IP address at port 5999
> > collecting data from x.x.18.3
> >
> > I don't know 205.149.189.91 or have any process running to that site.
> > However, the numbers are increasing.
> >
> > Anyone seen this behavior?
> >
> > 00005: 20.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
> >     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> > BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
> >   0 tcp  x.x.18.3/1027         205.149.189.91/5999   76043 19344253 0 0 0

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
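The thread turns on one question: is the flow that `ipfw pipe show` reports explained by a known service (here cvsup on 5999/tcp, as /etc/services confirms) or not? The script below is an added example written for this archive page; it is not code from anyone in the thread. It parses the flow rows of an `ipfw pipe show` table (the sample text is a constructed reassembly of the two rows Alex posted, one per direction), names each endpoint's port from a small embedded table standing in for /etc/services (a constructed subset; the cvsup entry is the one the thread quotes), pairs the two directions into one conversation with byte totals, and reports any conversation whose service is not in the set the operator expects, which is the check a cron'd cvsup run would pass and an unknown listener would fail. The server-side heuristic (known port, else lower port) is an assumption, not ipfw behaviour.

```python
"""Annotate ipfw(8) pipe flow tables with service names and flag unexplained traffic."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: the pipe 5 flow table from the thread, both directions of
# the same cvsup session, laid out as ipfw(8) prints it (before the archive flattened it).
SAMPLE_PIPE_OUTPUT = """\
00005: 20.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  205.149.189.91/5999   66.28.18.3/1027       123814 103707137 0 0 0
  0 tcp  66.28.18.3/1027       205.149.189.91/5999   76043 19344253 0 0 0
"""

# Constructed subset of /etc/services; "cvsup 5999/tcp" is the entry the thread quotes.
SERVICES: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "ssh",
    ("tcp", 80): "http",
    ("tcp", 5999): "cvsup",
    ("udp", 53): "domain",
}


class Flow(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


# A flow row: bucket, proto, src/port, dst/port, total packets, total bytes, ...
# Header, "00005:" and "mask:" lines fail the leading "<digits><space>" test.
FLOW_RE = re.compile(r"^\s*\d+\s+(\w+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\d+)\s+(\d+)")


def parse_pipe_flows(text: str) -> List[Flow]:
    """Return one Flow per data row of an 'ipfw pipe show' table."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        proto, sip, sport, dip, dport, pkts, nbytes = m.groups()
        flows.append(Flow(proto, sip, int(sport), dip, int(dport), int(pkts), int(nbytes)))
    return flows


class Conversation(NamedTuple):
    proto: str
    server_ip: str
    server_port: int
    service: str
    client_ip: str
    client_port: int
    bytes_from_server: int
    bytes_to_server: int


def server_is_source(flow: Flow) -> bool:
    """Assumed heuristic: the server end is the one with a known service port,
    or, if both or neither are known, the lower-numbered port."""
    src_known = (flow.proto, flow.src_port) in SERVICES
    dst_known = (flow.proto, flow.dst_port) in SERVICES
    if src_known == dst_known:
        return flow.src_port < flow.dst_port
    return src_known


def conversations(flows: List[Flow]) -> List[Conversation]:
    """Fold both directions of each client/server pair into one record, largest first."""
    acc: Dict[tuple, List[int]] = {}
    for f in flows:
        if server_is_source(f):
            key = (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
            acc.setdefault(key, [0, 0])[0] += f.bytes   # server -> client
        else:
            key = (f.proto, f.dst_ip, f.dst_port, f.src_ip, f.src_port)
            acc.setdefault(key, [0, 0])[1] += f.bytes   # client -> server
    out = [
        Conversation(proto, sip, sport, SERVICES.get((proto, sport), "unknown"),
                     cip, cport, from_srv, to_srv)
        for (proto, sip, sport, cip, cport), (from_srv, to_srv) in acc.items()
    ]
    out.sort(key=lambda c: c.bytes_from_server + c.bytes_to_server, reverse=True)
    return out


def unexplained(convs: List[Conversation], expected: set) -> List[Conversation]:
    """Conversations whose service name is not one the operator expects to see."""
    return [c for c in convs if c.service not in expected]


if __name__ == "__main__":
    convs = conversations(parse_pipe_flows(SAMPLE_PIPE_OUTPUT))
    for c in convs:
        print(f"{c.service:8} {c.server_ip}:{c.server_port} <-> {c.client_ip}:{c.client_port} "
              f"down={c.bytes_from_server} up={c.bytes_to_server}")
    for c in unexplained(convs, {"cvsup", "http", "ssh"}):
        print(f"UNEXPLAINED: {c.proto} {c.server_ip}:{c.server_port} ({c.service})")
```

Run against live output with `ipfw pipe show | python3 thisfile.py` after swapping the sample for `sys.stdin.read()`; a conversation that lands in the unexplained list is the one to chase with `sockstat -4u` on the host that owns the client port, as Eric suggests above.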